Small-town street scene in Illinois American flag flapping in breeze by huge painted American flag fading from brick wall

Episode 2 - Make the Right Decision - Implement a Program!

Lauro, Mike, and Zach reveal the biggest failure that companies make when it comes to cybersecurity. We discuss what steps leaders can take to implement a program within their organization. The team talks about cybersecurity in business and how to mitigate cyber risks. The team also provides ideas for companies to use additional incentives with staff in order to help minimize cyber risk related to the human element.

Pick up your copy of Cyber Rants on Amazon.
Be sure to rate the podcast, leave us a review, and subscribe! 

welcome to the cyber rants podcast where we're all  about sharing the forbidden secrets and slightly  
embellished truths about corporate cyber security  programs we're ranting raving and telling you the  
stuff that nobody talks about on their fancy  website and trade show giveaways all to help  
you protect your company from cyber criminals  and now here's your hosts michael rotondo zack  
fuller and lauro chavez welcome back to the cyber  rants podcast this is your co-host zach fuller  
joined by lauro chavez and michael rotondo  uh we have a good show for you today and as  
always we will kick it off with uh what's going  on in cyber so mike do you want to give us some  
some background what's happening today in  the world of cyber security there's a lot of  
interesting things in the news today um we've all  been hearing about the covid tracking apps that  
several tech companies are pushing and if  you've gotten the latest apple download you've  
seen that they have an option for a covered  tractor in there but what we have found at  
least according to the news is that 85 percent of  cobit 19 tracking apps are actually leaking data  
um that would include pi data and location  data uh as well um so it's something to be  
concerned about um obviously mobile apps don't  always have the necessary security in place to  
prevent data leakage um the other thing we're  finding is that uh with the amount of people  
that are working remotely there's another news out  there called free vpns or bad for your privacy and  
a lot of it is uh that there's ads in there and  it is uh they're doing data harvesting so you're  
not as secure as you think you are using your  free vpn on the other side the secret service  
is actually looking for outsiders to help boost  financial cyber crimes probes they're trying to uh  
well get into the 21st century in only 20 years  too late but um they are working on getting into  
the 21st century and to expand their cyber crime  probes and abilities and then try and leverage the  
partnership with the private market uh the udu is  releasing interim cyber security rules uh this is  
a nist publication that will be out for comment um  and then expected to go live sometime in october  
um there's also a new document from this it's  a guide to help orgs recover from ransomware  
and data integrity attacks it's actually a nice  step-by-step guide also available for download  
we have another issue out there that identifying  the large the largest risk in supply chain  
is supply chain weak security links for 92  percent of u.s companies so that's kind of  
a big deal um a threat to more a more personal  threat or a more uh applicable threat to small  
to medium businesses that file what fileless  malware has become a crucial endpoint threat  
uh it's circumventing um existing  many existing antivirus solutions  
and in the uh other news iranian  hackers are running ramp but apparently  
iran has stepped up their cyber security game  big um and is actually a major player in this  
attacking united states in addition to china  and russia and north koreans and usual players  
something that's really kind of critical  especially during the pandemic is that a cyber  
attack hobbled a major hospital chain uh staff  is now using paper records going back to the 80s  
um so that's going on and uh the last thing  is that the ransomware crisis is getting worse  
um every day we're hearing about more and more  ransomware issues and uh this is becoming a  
big deal and lastly just going along with the  election depending on when you hear this but there  
is actually a concern that the u.s attacks could  hinder voting access information not actual voting  
but actually the process of providing the data  to uh precincts and that sort of thing for voter  
information so that's uh that's the headlines  and that's what's going on in the world today  
all right thanks for that mike i appreciate it  very much uh let's i guess give updates on the uh  
the weekly sev fives by the graces of the powers  of the universe microsoft is not on the list  
this week i'm shocked however oracle enterprise  linux if you're running oracle enterprise linux  
make sure you're looking for that postgresql  uh update there's a sub five out there uh with  
remote code execution also if you're running susie  enterprise linux you've gotta save five updates  
again uh same type of remote code execution  freebsd is also suffering from a similar  
vulnerability within samba so again if you're  running oracle susie or freebsd get out there  
on the internet find those uh those latest  patches for that step five security update and  
get those installed also drooper core uh multiple  vulnerabilities in that so if you've got drupal  
running uh make sure you're also checking checking  the sheets to find out what what patches are  
available and uh get this patch installed for this  for this f5 and that that really concludes the  
step fives of the week tackle bring it back over  to you great thanks laurel for for the next few  
episodes we'll be talking about different topics  that are in the cyber rants book and i think a  
great one to talk about right now it's october  cyber security awareness month and really it's  
all about building a security conscious culture  so we have a whole chapter and a lot more than  
a chapter that information flows throughout that  book on that topic but i think it's an important  
um and timely thing for people to think about you  know organizations right now are full bore into  
their planning for next year what are they going  to do what are the cyber security initiatives  
naturally we're having discussions with a lot  of different companies especially fast growth  
b2b tech companies um you know mid-market and  emerging organizations that want to step up to  
the next level and so we're talking about that  how do we get a security program in place it's  
not just adopted from a technical standpoint right  that's that's almost uh the easier part for most  
companies it's really how do we get buy-in from  everybody how do we get you know from from every  
every uh layer of the organization we need people  to be involved in the cyber security process  
so with that of course it starts with  leadership right so what's the number one  
biggest failure that companies make when it comes  to their cyber security what i would say is that  
the number one biggest failure companies make  their cybersecurity is failing to make a decision  
to actually put a formal cyber security program  in place most people don't know they need to do  
it they put it off and uh wait you know okay well  it's gonna happen next year or the following year  
whatever um and that's where i think you know  we're seeing the most people that you know when  
they we get calls about breaches that's that's  usually the case for those organizations is that  
they didn't actually make a decision to put  the security program in place any thoughts
yeah i got a lot of thoughts about that i mean  you're right with you know with leadership i  
think that's the most important thing so you know  you have to make a decision right so let's let's  
pretend that we've gotten past that part right so  you've made the decision you're going to put in  
cyber security program and we need to we need to  create a security conscious culture and i think i  
think that really the next step there is is is  really going to come around you know what what  
type of program do you want to put in place or is  it something that you want to do once a year is it  
something that you feel that you want to integrate  into operational processes throughout the year  
um but you know i think the next biggest challenge  aside from leadership just you know owning up to  
the fact that they they have the budget for  cyber security is something they have to do  
right or they're going to be finding other jobs  and we get breached beyond that i think it's  
really holding the employees accountable for  completing the training if you're using a uh  
you know platform based approach uh if you're  pulling everybody into a conference room  
uh with a powerpoint presentation i think that you  know with the sign-in log i think that's perfectly  
acceptable too yeah absolutely i think there's  a there's a fine line there too right because we  
we have to hold people accountable but we also  can't run a security program based on um fear  
and kind of you know run run the show with  an iron fist right it's you kind of have to  
no you want to you want to incentify absolutely  not well well let me digress a moment i think the  
iron fist approach will probably work i mean you  if you threaten people of getting fired because  
they don't take their security awareness training  that might work now you know you're probably not  
going to rank on the number one place to work  uh for businesses in the united states but i'm  
sure it'll be effective uh you know i think  incentive-based programs work better i think that  
uh you know if you if you get if you get you know  some some of your favorite local coffee place gift  
cards you know or whatever uh and you start  giving those out to people who complete the  
training early or who complete the training uh  with you know kind of you know not having to  
retake it or whatever you know they got 100 on  some of the questions i think that that offers a  
incentive and then you know kind of expanding that  out into this whole security conscious culture  
right because it doesn't it doesn't end with cyber  security awareness training it's like it's a great  
okay you got trained it's just like osha training  it's like okay we had your osha training now  
you got to look for osha related situations at  your work right the same way you got to look for  
cybersecurity-related situations at your work and  i think one of the ways that the incentive program  
does really good is when you're incentifying  your employees to walk around and look for  
i guess you know you could call them um  you know cyber security findings a great  
example of somebody who walked away from their  workstation and left their work position unlocked  
okay now you know in the past it was accepted  behavior to send emails to the boss saying that  
you know you hate him and you know you expect him  to buy everybody kegs of beer and it's haha funny  
thing right unfortunately now i don't think that's  a good idea to do but what is a good idea to do  
is to go up and do a you know a windows l or you  know something on that on that desktop to lock it  
and then go report that to your security  manager and now you can get yourself a  
starbucks gift card or whatever you know  black rifle cop company whatever the coffee  
is that you know that is surrounding  the group of the place where you're at  
right whatever your local coffee house is but i  think that's a great example of a way to enforce  
that security conscious culture in a positive way  and instead of ruling with iron fist i i disagree  
i i don't think that you know you want a bunch of  people that have very minimal security knowledge  
running around making security decisions i mean  that's that's a um and then tattling on i just  
i i don't i don't think that's the best way to  deal with it i mean you don't want to people  
a bunch of people it's almost vigilante justice  at that point um because you know the subject of  
human nature if i don't like you your computer is  unlocked all the time as far as i'm concerned or  
um you know that kind of thing so i i think that  could backfire if it's not monitored properly um  
so i think there needs to be discipline for  management there does need to be teeth for not  
for not passing the testing for not adhering to it  for continual failure to adhere to security norms  
needs to be dealt with um you know there can be  a certain amount of carrot but there does need  
to be a stick especially in today's culture sure i  don't i don't disagree with that i mean i just um  
you know i mean i i like to think that if given  the opportunity humans will tend to want to do  
the right thing especially if they're incentivized  but i mean i can't say i disagree with you with  
a bunch of rookie barely trained cyber security  people running around i'm tattling on one another  
now um you know self-policing i guess i guess  can work but i agree i think you know there  
does need to be some teeth and a stick um on  the other side of the incentive otherwise you  
know i think because i think the goal is to  be compliant right i mean you're not going to  
start a security awareness or a cyber security  conscious culture without having a goal of making  
100 you know so i i agree with you sure and then  you have to go back and you put the onus on the  
security team itself and they have to have the  proper policies in place so regardless if you know  
you walk away from your desk your desktop is going  to lock within five minutes regardless you know if  
you don't have policies like that in place um you  know acceptable usage or desktop policies in place  
then you know if i'm allowed to walk away  from my desk for an hour and it stays open  
and all my apps stay engaged that's  a failing from the security team  
that's not neces- you know that is you know it's  two parts right so there's personal responsibility  
of the user that has the computer open but there's  also the responsibility of the security team  
to make sure to give them the tools to enable them  to allow for the occasional mistake no i agree  
but there's always that one work environment  right where you've got i don't know what to  
call it but you you you'll you'll be a security  engineer and you're saying okay we're going to  
lock the screens after five minutes of inactivity  and lo and behold somebody will come and say that  
doesn't work for us and somehow management says  set it to 20 minutes or set it to 30 minutes right  
right yeah yeah where you know your best  practice is now being overwritten by some form of  
you know interdepartmental you know  hokey poke that's going on right so  
un unfortunately you know i think those are  the cases where to work but i mean to kind of  
transcend the conversation out of the corporate  environment i mean you know part of the training  
should be that the security conscious culture  is that humans are security conscious even  
when they leave the work environment and  so how do you really ensure that they're  
knowledgeable when they're getting that call that  you know the cyber attacker's saying you know yeah  
you're you know your your social security has  been compromised and you know we need you to  
uh to help us here to you know stop this leakage  of your money from your social security account  
right i mean i think that's that's another really  important part of the security conscious culture  
because i i don't think that i don't think  that training should stop when you leave the  
the place of employment you know i agree i mean  it makes it valuable to the end user if you give  
them something they can use at home i think the  the moral story there is that uh you know the  
organization has to come to terms at some level  of of risk acceptance and they have to be able  
to define that what level of risk are they willing  to accept and then out of that they can determine  
what calls management can make right can they  allow that you know uh host machine to stay  
open for a half an hour with no activity um again  they can they make those calls that are that will  
override the security department and what level  and what's the process behind that right who  
who uh ultimately gets to you know look at that  objectively and see if it's in line with their  
risk management program and then the other thing  is that i think the lesson behind all this too  
is that it really depends right there is there  is no right answer there is no the perfect  
way to build a security conscious culture  because every company culture is different  
and we've got to see the gamut right and so some  companies they have to run it with an iron fist  
you know they their culture is not there in  a place where people are necessarily held  
or hold themselves accountable and that's in those  situations especially larger organizations that  
are like that you know they they have to do things  differently than a smaller more nimble let's say  
a SaaS company for example that's a bunch of  developers and they all want to learn more  
about cyber security because it's you know they  see it as part of their their role and they they  
you know take it to heart they like learning about  technology you know that's a very very different  
culture so where you may have some of the like  what you were alluding to earlier lauro about the  
um you know starbucks gift cards or whatever it  may be essentially gamification of the security  
program that's going to work phenomenally in  some cultures and uh and have it be basically uh  
um a positive you know beneficial type uh  experience whereas in other cultures yeah you  
gotta bring down the hammer you know so i think  it's it's up to organizational leaders to really  
um take an objective look at what what is our  culture what what are they going to respond to and  
out of that build the security awareness program  and the policies and all of that because um  
you know it all has to be in place but it's also  got to match the company operations if the two are  
out of alignment it's never going to be  effective no it's not and i don't think  
that any business can i mean i understand  that you can accept risk but really can you  
you know what i mean i mean i think all of this  fallout is is eventually going to be even if  
it's just a little bit you know getting into the  headlines of the news it doesn't matter if it only  
costs you 10 grand or 12 grand you get you get a  negative impact towards your business and you know  
for those of you you know no offense but for those  of you leaders out there that are you know listen  
to this podcast and you know saying that oh we're  going to stave off cyber security for another  
year we're not going to you know do cyber security  training or we're cutting back on programming  
no one is going to shed a tear for you when you  show up on the headlines not anyone we're all  
going to chuckle you know what i mean we're  all going to chuckle in the background like  
you figured that was going to happen you know  what i mean so you know really you have a choice  
you either look at this from a scientific  perspective and and deploy this type of a  
program right that includes a building a security  conscious culture or you choose the other path  
which is going to lead you down the road of  being in the headlines at some point or another  
and i don't see there's too many options it's like  a two-prong fork i mean what would you say mike  
yeah and you also have to take into account the  compliance factor right so if you've got pci  
compliance restrictions or adherences that you  need to do if you have uh if you're overriding  
security and saying you can leave your computer  unlocked for 30 minutes that's a violation right  
there right i mean that's not going to be  allowed so you're going to have to create  
a business justification and you're going  to have to own the risk because it was your  
idea to unlock that so that's you know going back  to the responsibility of the leadership of saying  
um you know this is my decision and owning it not  pushing it onto the security team so you know yeah  
it's coming up on the security team to make sure  that management understands that they own that  
decision whoever you know decides to make that  decision owns it so right and if you're a security  
personnel write down everything and make sure  that you're you're organizing your thoughts in  
email so when you try to recommend these things  and get shot down by leadership you're at least  
saving those emails in an archive so that later  when when your profession is questioned you can  
point back to the poor decisions of leadership  uh that kind of shut down your brilliant ideas  
um you know so keep that in mind and you know  and the pci thing mike i totally agree with  
you but you've got companies doing you know  not so intelligent moves like limiting scope  
so instead of you know trying to make the whole  organization in scope where we have a continuous  
deployment of security controls holistically  they're trying to isolate just the components that  
interact with the the you know the the the the pan  data right in your data environment and and limit  
the audit just to that so now you've got the whole  rest of the environment that that has no security  
controls right you've got these 30-minute log  outs or whatever right and then you've got just  
a very small in-scope portion of your environment  focused on the good security controls and what it  
what it makes you look like holistically is you're  ten percent secure you have to look at that too  
in the company i mean how messed up are they what  was our last pci audit or if they've never had one  
you gotta start and i think you can build out  from doing a focus on just the pci group and and  
then build it out to the rest of the company you  know and take it gradually by step because i think  
if you try and swallow it all whole you might  wind up you know choking the entire company and  
elongating the process and increasing or  extending risk longer than you need to  
absolutely you certainly need to chunk it  up and roadmap it out so that it makes sense  
it's palatable for everybody yeah and and you  know like what zach was saying you know every  
every business environment we've ever been to has  always been different the cultures are different  
um you know the the dynamics around enforcement  are different and and so i think you just need  
to kind of understand your own environment and  then you know roadmap out the the major points  
of the security plan that include the security  conscious culture right developing that security  
runs training and reinforcing that but you need  to do it in a manner that is consistent with your  
specific culture your organization and so i know  there's some security guys out there that are like  
that are like mike you know there's you know they  feel like they need to go around and just enforce  
this and there's probably guys out there like  me that are like oh let's you know try to find  
a better way to incentivize people and the truth  is you probably need both you probably need the  
good top bad cop because you're going to have  you're going to have patrons and employees that  
are going to do the right thing and you're going  to have employees that don't want to do the right  
thing and i think so you know i think having that  that approach is probably helpful too but yeah you  
know you got to start somewhere you got to road  map it out you got to do it at a pace that is  
it that is you know really kind of marries well  with your your own culture and your environment  
and one of the things that you know you talk  about the good cop bad cop you do have to have  
one unified the security team itself needs to be  unified the ultimate goal so they're not you know  
it's not like the little kids going to mom saying  can i go out to a concert ask your father no you  
can't go and then go ask your mother yeah you can  go kind of thing it's you got to make sure that  
you know you have a unified plan structure you  know for the security team where you can play that  
good cop bad cop and ultimately get the agreed  upon goal that the security team is trying to get  
yeah absolutely no no the security team needs  to have a unified voice um the bad cop i was  
saying um was referring to is that you can  you could give incentives right you can give  
you know gift cards or whatever but you also need  to need to whip the stick too and so i think that  
that's kind of what i was alluding to by good cop  backup was yeah i know what you mean i mean but  
you know you don't want you know i'm gonna go talk  to lauro because he's nicer than mike you know  
kind of thing but that's true i mean and that's  what people do i mean because i am nice of you i  
mean yeah wow that's a given but you know i'm like  oh did i get you with a stick here's a gift card  
yeah now lock your damn computer yeah just as  long as you're not working it where if you let me  
hit you with a stick then you can have a gift card  because that just you know gets into another weird  
area of i.t yeah i don't know if i should give him  a gift card because i got hit with the stick by  
you or you know they tried to do the right thing  i don't know yeah anyways yeah but you know try to  
work toward a a security conscious culture i mean  i think that's you know everybody is everybody in  
your organization is part of the cyber security  team whether you like it or not they're they're  
all going to help you succeed or fail so i  think you know the more trained they are the  
more training they have the more intelligence they  have around cyber security you know weaponize them  
weaponize your people weaponize your employees  your contractors and you're going to have a  
more secure organization and you're certainly  going to have a more cyber security conscious  
culture yeah i think one of the things too is you  have to emphasize the importance of it because i  
can't i don't know if this happens to you guys  but i i can't tell you how many people i see  
that are outside of work or you know associates  that i know from the cigar shop or whatever that  
talk about that security crap training i had to  take this week you know and complain about it and  
they need to understand it's actually valuable  and it's extremely valuable and i think that  
anybody who comes out of a i mean you know  you should question your employees if they're  
if you find him at the cigar lounge complaining  about the security awareness training later  
well i find it's also from the management i mean  there's some guys i know that are vps that are  
like complaining about that's like dude of course  you got to understand you know we've got vps that  
don't even want to take the training that we've  got to sign for some of our clients right i mean  
exactly it's like your job you're  telling me that your leadership job is so  
busy and so important you can't take 30 minutes  out of your day to complete the training your  
developers did it and they're running your  software okay your it guys did it and they're  
running the infrastructure they found time to  do it but you and all your wisdom in your big  
corner office can't find 30 minutes to sit down  and take the training there's no excuse for that  
it's always the sales guy with the puka  shell necklace and the frosted tips that  
knows more than you do it always always  he's rolling he's rolling in the convertible  
you know what i mean pop down frosted tips blowing  in the wind yeah big idiot that sounds awesome
you want to get your tips frosted  yeah right i'll jump right on that  
well you'll laugh i saw i was at the um bar having  having a cigar and doing some work on my on my  
laptop and i saw a guy come in with a major  cyber security company shirt on polo shirt on  
right embossed logo all that goes to the bar  opens his laptop he's working there um his laptop  
was obviously company issued you know it had the  label on it and everything leaves it open um and  
goes to the restroom for about five minutes  open unlocked so um it's not just companies  
outside the industry that are failing at building  a security conscious culture it's it's it's even  
within the cyber security industry so oh i could  talk about some cyber security companies out there  
and i won't blackball you guys today but you you  suck i don't understand how you got so big and so  
popular the work you're doing is absolute bantha  fodder all of it so i i completely agree with you  
and you know what to be truth he probably got that  polo because one of the he he partnered with the  
var that came in and they gave him the polo for  letting him sign the gig you know what i mean i  
hope he didn't work for the security partner but  he might have it wouldn't surprise me i looked i  
looked it up by uh yeah i put a face with the name  uh oh you linked it you linked in stopped him oh  
that's a good job so he was from here i did i  i did a quick quick bit of research and uh yeah  
sure enough um oh i wish we could blackball  those companies i wish i could dox you right now  
from being at the cigar bar with your laptop open  that's okay we don't do that for a thing you know  
it's it's unfortunately not too common but you  know i think i think the point um here is and as  
we wrap it up it's it's you know there's no right  answer um for for anybody because if it was that  
easy everybody be doing it right so it's a matter  of matching your program to your company culture  
understanding what that company culture is in the  first place what it really is objectively right  
and then putting the appropriate controls in place  to both enforce and uh enforce failures and reward  
um the all the positive things and out of that  i think you're going to get a lot of good data  
points and stuff that's going on within the  organization what types of attacks are occurring  
and and you can be off to a good start and the  other thing to remember right is it doesn't  
happen overnight i mean we're to shift culture  we're talking years um so it's it's something  
that has to be worked on day in and day out um and  it's it's over time right so but it has to start  
with leadership right because if leadership's not  doing it nobody's doing it and um they're they're  
going to look up to leadership and what's you know  what are they how are they using their own devices  
you know and what's um are they leaving  their own machines unlocked you know what's  
uh going on with their actions and and the  rest will follow any final thoughts for today  
well i think you i think you closed down pretty  well you know you got to plan out you know i think  
the bigger organization you have  the longer it's going to take to  
impact the culture then the smaller organization  you have it might happen a little faster  
than yours right you know they say small ships  turn faster so it might be something you can do  
aggressively in a couple months  and it might take you 24 months  
so yeah no i think you i think you nailed  it zach it's got to start with leadership
all right well thank you very much all the uh  people listening hope this helps reach out to us  
anytime you don't have a copy of the book check it  out on amazon and uh we look forward to our next  
episode have a great day pick up your copy  today of cyber rants forbidden secrets and  
slightly embellished truths about corporate cyber  security programs frameworks and best practices  
on amazon and if you're looking to beef up  your cyber security visit us online at www join us next time for  another edition of the cyber rants podcast